Move local group memberships between directories in Jira server
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Please review Migrating Users between User Directories first before going through this KB article.
This process requires the use of a third-party plugin as well as a script that runs externally of a JIRA application. As such, this process is not officially supported by Atlassian and the information on this page is provided as-is.
Please notice, for Server licensed Jira, the applications ended sales on February 15, 2024 PT. Server app renewals will automatically be prorated until the end of support for server on Feb 15, 2024.
When to use this KB
Currently, Jira handles group membership separate per directory. We have this open suggestion to make local group membership applied globally across directories, but in the meantime this KB will help you migrate your group memberships between any combination of the following directory types:
- LDAP Directories with Local Groups (including Microsoft Active Directory)
- Internal Directory with LDAP Authentication
- Internal Directory
Find out how easy, scalable and effective it can be with Crowd!
See centralized user management.
Step 1: Create a CSV of user-group relationships
First, you will need to create a CSV by exporting the username and group pairing of all users in your directory. You will need the directory ID for the source users and groups. To find out your directory ID, run the following query:
SELECT id, directory_name, description, directory_type
FROM cwd_directory;MySQL and Postgres queries are provided below that will create the proper output for the CSV file (It has to be a CSV file).
MySQL
SELECT cu.lower_user_name, cg.group_name
FROM cwd_user cu
JOIN cwd_membership cm ON cu.id=cm.child_id
JOIN cwd_group cg ON cm.parent_id=cg.id
WHERE cu.directory_id=<source_directory_id> AND cg.directory_id=<source_directory_id>
INTO OUTFILE '/tmp/outfile.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY ''
LINES TERMINATED BY '\n';PostgreSQL
COPY (
SELECT cu.lower_user_name, cg.group_name
FROM cwd_user cu
JOIN cwd_membership cm
ON cu.id=cm.child_id
JOIN cwd_group cg
ON cm.parent_id=cg.id
WHERE cu.directory_id=<souce_directory_id> AND cg.directory_id=<souce_directory_id>
)
TO '/tmp/user-groups.csv'
WITH CSV;MSSQL
For Microsoft SQL, you can use the following query, then export the output table grid to CSV:
SELECT cu.lower_user_name, cg.group_name
FROM cwd_user cu
JOIN cwd_membership cm ON cu.id=cm.child_id
JOIN cwd_group cg ON cm.parent_id=cg.id
WHERE cu.directory_id=<source_directory_id> AND cg.directory_id=<source_directory_id>If you are migrating from and either of the LDAP-backed directories with local and external groups, and you do not want your LDAP groups added to your internal directory, add cg.local='1' to your WHERE clause. This is not necessary if your source directory is a standard internal directory.
The output of these queries should create a csv with content similar to the following:
admin,jira-administrators
admin,jira-developers
admin,jira-usersStep 2: Create your new directory and add users
The most common directories to migrate local memberships to are LDAP Directories with Local Groups or an Internal Directory with LDAP Authentication, but you can also use this method for a newly created Internal Directory. Once you have created your desired directory, you will need to meet the following prerequisites:
- The new directory must be moved to the top of the directory list in JIRA Administration >> User Directories.
All of the usernames that need their group memberships migrated need to already exist in the new directory. In an LDAP directory that supports syncing, this will happen automatically once you create the directory. For an internal directory, you will need to populate the directory manually. This can be accomplished via the CLI with the runFromCsv along with the addUser actions. Each line in your CSV will need to be in the format: user,password,email,fullName
You can alter the SQL statements above so that the select portion of the query pulls the necessary columns to create an addUser CSV. For example,
SELECT lower_user_name, 'password', email_address, display_name FROM cwd_user JOIN..., replacing password with any random string for a temporary password. Your users can then use the password reset option before logging into JIRA after the migration.
Step 3: Install the Atlassian CLI Tool
Download and install the Atlassian CLI plugin (via
Cog > Manage Apps > Manage Apps > Upload add-on)Generate a new evaluation license through https://my.atlassian.com (MAC) and attach the license to make it work.
Details on usage can be found on the JIRA CLI wiki page. - Download the CLI client from the page.
Step 4: Use the CLI to add users to their groups
These instructions were written for JIRA CLI version 9 and may need to be adapted to later versions.
Make sure that the first line of the CSV file is made of the headers, followed by the users and groups. For example:
userId,group
john,group1
mike,group2
The CLI tool has a built-in action that will automatically add users to groups using a CSV. Run the following command from the CLI directory root directory:
./acli --server <BASE_URL> --user "<username>" --password "<password>" --action runFromCsv --file "/path/to/test.csv" --continue --common "--action addUserToGroup --autoGroup --continue"For Windows users, replace ./acli by acli.bat. Once the script has completed, you can move the new directory to any order you prefer. If you are unsure of how ordering your directories affects authentication and permissions, there is more information available in our doc on Managing Multiple Directories.
After migration, the users will need to login against the new directory before the user can receive any notifications, or be added as Participants or Watchers.